US Report Says Hackers Are Responsible For Ukrainian Power Outage

The power outage Ukraine experienced last year, which affected more than 225,000 customers, is one of the first confirmed cases of a cyber attack taking down part of a national power grid.

Since then, an interagency team from several US agencies, including the FBI, NCCIC, DOE, and US-CERT, traveled to Ukraine and worked with the government there to learn from the attack.

A report by the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) says that there have “been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports indicate that the BlackEnergy (BE) malware was discovered on the companies’ computer networks, however it is important to note that the role of BE in this event remains unknown pending further technical analysis.”

According to F-Secure, “BlackEnergy is a toolkit that has been used for years by various criminal outfits. In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukranian [sic] government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as “Quedagh”, which has a history of targeting political organizations.”

The ICS-CERT report goes on to say that the malware was reportedly delivered as malicious Microsoft Office attachments in spear-phishing emails, while stressing that its role in the outage itself is not yet established:

“Each company also reported that they had been infected with BlackEnergy malware however we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”

Later in the report, ICS-CERT lays out ways organizations can protect themselves and “recommends that asset owners take defensive measures by leveraging best practices to minimize the risk from similar malicious cyber activity.”

The report says that organizations should make use of Application Whitelisting (AWL) because it can “detect and prevent attempted execution of malware uploaded by malicious actors.” It also recommends that asset owners “limit Remote Access functionality wherever possible. Modems are especially insecure. Users should implement ‘monitoring only’ access that is enforced by data diodes, and do not rely on ‘read only’ access enforced by software configurations or permissions.” The distinction matters: read-only access enforced in software can be undone by anyone who obtains administrative credentials, whereas a data diode physically permits traffic in only one direction.

The three affected companies indicated that the attackers wiped some systems by executing malware known as “KillDisk”, which corrupted the master boot record (MBR) and left the systems “inoperable”. Windows-based human-machine interfaces (HMIs) were also reportedly overwritten, serial-to-Ethernet devices were corrupted, and uninterruptible power supplies (UPS) were disconnected. All of this is suspected to have been done to slow restoration and recovery after the attack.
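As an added example, not taken from the article or the ICS-CERT report, the following Python script shows the kind of triage check a responder would run on a disk image from a workstation suspected of having been hit by a disk wiper: it reads one 512-byte MBR sector and flags the signs that it has been overwritten (missing 0x55AA boot signature, blank boot code, empty or nonsensical partition table). The sample sectors are constructed inline for illustration, and the rules are generic MBR sanity checks rather than a signature for any particular malware.

```python
"""Sanity-check a 512-byte MBR sector for signs of wiping or corruption.

Added example; the sample sectors below are constructed, not real images.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
TABLE_OFFSET = 446             # partition table starts after the boot code
ENTRY_SIZE = 16                # four 16-byte partition entries


def parse_partition_table(mbr):
    """Return the four partition entries as dicts.

    Entry layout: status (1), CHS start (3), type (1), CHS end (3),
    LBA start (4, little-endian), sector count (4, little-endian).
    """
    entries = []
    for i in range(4):
        offset = TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, offset)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(mbr):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_code = mbr[:TABLE_OFFSET]
    if len(set(boot_code)) == 1:
        # A wiper that fills the sector with one byte leaves no boot stub behind.
        findings.append("boot code region is a single repeated byte (0x%02x)" % boot_code[0])
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    bootable = 0
    for idx, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (idx, e["status"]))
        if e["status"] == 0x80:
            bootable += 1
        if e["type"] != 0 and (e["sectors"] == 0 or e["lba_start"] == 0):
            findings.append("entry %d has type 0x%02x but zero start or length" % (idx, e["type"]))
    if bootable > 1:
        findings.append("%d entries flagged bootable, expected at most one" % bootable)
    # Partitions on a sane disk never overlap; garbage tables usually do.
    ranges = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partitions overlap at LBA %d" % s2)
    return findings


def build_mbr(boot_code, partitions, signature=BOOT_SIGNATURE):
    """Assemble a test sector from a boot stub and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    stub = boot_code[:TABLE_OFFSET]
    sector[:len(stub)] = stub
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, lba_start, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed samples: one healthy sector and two ways a wiper might leave it.
INTACT_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb",   # first bytes of a typical x86 boot stub
    [(0x80, 0x07, 2048, 204800),           # bootable NTFS system partition
     (0x00, 0x07, 206848, 4000000)],       # NTFS data partition, starts where the first ends
)
ZEROED_MBR = bytes(SECTOR_SIZE)                                    # overwritten with zeros
GARBAGE_MBR = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR_SIZE))  # pseudo-random fill

if __name__ == "__main__":
    for name, sector in (("intact", INTACT_MBR), ("zeroed", ZEROED_MBR), ("garbage", GARBAGE_MBR)):
        result = check_mbr(sector)
        print("%-8s %s" % (name, "OK" if not result else "; ".join(result)))
```

On a real image the call is simply `check_mbr(open("disk.img", "rb").read(512))`. Findings are a triage heuristic, not proof of wiping: a GPT disk carries a protective MBR with a single 0xEE entry that passes these rules, and a wiper that only damages later sectors leaves the MBR clean. The check also says nothing about the HMI, serial-to-Ethernet or UPS components the article mentions, which would need their own verification.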